
passing values through URL question????

Posted: Sun Jan 08, 2006 2:16 am
by PHPycho
hello friends
I'm back again with a new question.
My question is about securing the web pages when passing variables through the URL.
I have done many queries on the basis of variables passed through the URL. Suppose I have a friends editing section which displays the thumbnails of friends with a link such as
<a href='...?module=editfriends&fren_id=xxx&axn=delete'>
When the user clicks on the link the query is performed as

"DELETE from table WHERE fren_id='$_GET[fren_id]' AND user_id='$_SESSION[user_id]' LIMIT 1"
What do I want?
Suppose the user goes directly through the URL and types ......?module=editfriends&fren_id=yyy&axn=delete . Then it performs the delete query successfully.
What I want is to run the query only when the user clicks on the link rather than going directly through the URL.......
How do I perform the secure operation using the $_GET[] variable (without passing a hidden variable using $_POST[])..????
Any help and suggestions will be greatly appreciated.

Posted: Sun Jan 08, 2006 4:49 am
by mickd
you just have to perform a check before the query to make sure the user is logged in and has the correct access level by either using an existing session created upon login or get them to re-enter their user/pass as validation.

Posted: Sun Jan 08, 2006 6:03 am
by timvw
mickd wrote: you just have to perform a check before the query to make sure the user is logged in and has the correct access level by either using an existing session created upon login
The problem is that if this user has another window, e.g. one to browse example.com, and this is an evil site with a <img src="http://yoursite/somescript.php?action=d ... =1&....."/> tag, the user is still screwed.
mickd wrote: get them to re-enter their user/pass as validation.
Requiring the user to re-enter his credentials on critical operations is usually advised :) (despite the trade-off in usability).

Posted: Wed Jan 11, 2006 10:58 pm
by PHPycho
What I am thinking is encoding the URL query string and retrieving the passed values after decoding it......
Is that possible?? If possible, that will solve my problem.
Can anybody explain in brief about encoding and decoding the URL query string and using it for security reasons?
I also heard the alternative way is URL cloaking ??
OR not?? Please help

Posted: Fri Jan 27, 2006 3:51 am
by ed209
I have started doing this recently. I have 2 functions, encode and decode, that load on every page. So when I need to create some variables to be passed using GET I do this.

these are the functions:

<?php

	function my_encode_function($str){
		// base64 first, then percent-encode so '+', '/' and '=' survive in a URL
		$encoded_str = urlencode(base64_encode($str));
		return $encoded_str;
	}

	function my_decode_function($str){
		// undo the steps in reverse order: percent-decode, then base64-decode
		// (values read from $_GET have already been percent-decoded by PHP)
		$decoded_str = base64_decode(urldecode($str));
		return $decoded_str;
	}
?>
then when I want to create my URL + GET vars I:

<?php

$the_url = "http://the_url/the_page.php?getvar=".my_encode_function("VALUE TO ENCODE");

?>
then at the above URL I just use:

<?php

$decoded_val = my_decode_function($_GET['getvar']);

?>
I also think it's a good idea not to call the variables you pass something obvious like userid= or email=. I tend to use a single character like a= or b= and use it consistently throughout the site so I still know what they mean!

I'm no PHP expert though, so better suggestions welcome!

Posted: Fri Jan 27, 2006 4:26 am
by tasteslikepurple
You could check the HTTP referer to check that the last thing that the user clicked on was from your website, and that also means that if they type in the URL instead of clicking something, the referer is empty. It's not a very secure way to do it though because there are ways to trick this variable.

if ( !isset( $_SERVER['HTTP_REFERER'] )
     || strpos ( $_SERVER['HTTP_REFERER'], "www.yoursite.com" ) === false )
{  // no referer sent, or not from your site
    // don't do anything
}
else
{
   // delete stuff from the database
}
I like ed209's idea of encoding the URL, but you'll need to do some kind of error checking because if the user changes one of the letters in the URL, when you decode it, it will be a load of gibberish!

Posted: Fri Jan 27, 2006 5:33 am
by Maugrim_The_Reaper
See mickd's reply...

URL encoding does nothing for security - any user could decode the URL, add other data, re-encode, etc. Checking any other browser data is also not secure - it can be faked simply by altering the headers sent in a request. So, you need to check that the user making the request is valid, logged in, and has permission to do this. That may mean setting up some form of permission system (it could be as simple as setting a permission level number in SESSION).

Finally - in case you're not already doing it: use mysql_real_escape_string() or pg_escape_string(), depending on your DBMS, on all GET/POST variables before using them in queries. You might also want to check that incoming variables are what you expect.

For example, if a variable should be a number, then check for this using ctype_digit() or is_numeric(). If alphabetic or alphanumeric (no punctuation, apostrophes, etc.), then use ctype_alpha() or ctype_alnum().

The only secure way is to ensure the user can perform this action - and filter/escape any variables coming from the URL string.
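Putting timvw's forged-request point and Maugrim_The_Reaper's checks together, here is an added example that is not code from the thread: the delete link carries a per-login token, so a hand-typed URL or an <img> on another site cannot trigger the query, and the DELETE is parameterized and scoped to the session user. Function names (issue_token, delete_link, handle_delete) are my own, PDO with in-memory SQLite stands in for the mysql_* escaping the thread recommends, and it assumes PHP 7+.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ (random_bytes, hash_equals)
// and pdo_sqlite; table rows, session and request arrays are constructed samples.

// One token per login, embedded in every delete link the site renders. A URL
// typed by hand or forged by an <img> on another site cannot carry it.
function issue_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function delete_link(array &$session, int $fren_id): string {
    return '?module=editfriends&axn=delete&fren_id=' . $fren_id
         . '&token=' . urlencode(issue_token($session));
}

// Authenticate (session), validate (ctype_digit), check the token, then a
// parameterized DELETE scoped to the session user (authorization).
function handle_delete(PDO $db, array $session, array $get): string {
    if (empty($session['user_id'])) {
        return 'refused: not logged in';
    }
    $fren_id = $get['fren_id'] ?? '';
    $token   = $get['token'] ?? '';
    if (!ctype_digit($fren_id)) {
        return 'refused: fren_id must be numeric';
    }
    if (empty($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return 'refused: missing or wrong token';
    }
    $stmt = $db->prepare('DELETE FROM friends WHERE fren_id = :id AND user_id = :uid');
    $stmt->execute([':id' => (int)$fren_id, ':uid' => (int)$session['user_id']]);
    return $stmt->rowCount() === 1 ? 'deleted' : 'nothing deleted';
}

// Constructed demo: user 42 owns friend 5; friend 6 belongs to user 99.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE friends (fren_id INTEGER, user_id INTEGER)');
$db->exec('INSERT INTO friends VALUES (5, 42), (6, 99)');
$session = ['user_id' => 42];
parse_str(ltrim(delete_link($session, 5), '?'), $clicked);   // link the page rendered
$typed = ['module' => 'editfriends', 'axn' => 'delete', 'fren_id' => '5'];
echo handle_delete($db, $session, $typed), "\n";    // typed by hand: no token
echo handle_delete($db, $session, $clicked), "\n";  // clicked: token matches
parse_str(ltrim(delete_link($session, 6), '?'), $other);
echo handle_delete($db, $session, $other), "\n";    // valid token, row owned by someone else
```

In a real page the `$session` array is `$_SESSION` and `$get` is `$_GET`; the token check is what makes "only when the user clicks the link" enforceable, while the user_id condition is what stops one user deleting another's rows.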

Posted: Fri Jan 27, 2006 6:18 am
by ed209
OK, I was misled about what base64_encode actually does, so after a quick search on PHP.net I found http://uk.php.net/mcrypt.

So, altering that slightly, would this be any more secure?

<?php

function encode_and_encrypt($string){
	$key = "THE KEY";
	$result = '';
	for($i=1; $i<=strlen($string); $i++){
		$char = substr($string, $i-1, 1);
		// key character for this position (index -1 means the last key character)
		$keychar = substr($key, ($i % strlen($key))-1, 1);
		// add the key byte; chr() wraps values above 255
		$char = chr(ord($char)+ord($keychar));
		$result.=$char;
	}
	
	$encoded_str=urlencode(base64_encode($result));
	
	return $encoded_str;
}

function decode_and_decrypt($string){
	$key = "THE KEY";
	// undo the encoding steps in reverse order: percent-decode, then base64-decode
	$string=base64_decode(urldecode($string));
	
	$result = '';
	for($i=1; $i<=strlen($string); $i++){
		$char = substr($string, $i-1, 1);
		$keychar = substr($key, ($i % strlen($key))-1, 1);
		// subtract the same key byte; chr() wraps negative values
		$char = chr(ord($char)-ord($keychar));
		$result.=$char;
	}
	return $result;
}

?>
Although I've noticed it makes the URL longer than 255 characters - is this still a problem these days?

Posted: Fri Jan 27, 2006 6:38 am
by Jenk
Yes it is a problem.

Store the content somewhere like a DB or even a session, then use an ID in a cookie or GET vars.

btw-

base64_encode(), when used for this type of purpose, is only good for omitting risky chars; it is NOT good for security.

Obscure != Secure.